" If you don't want to set write access on the whole folders, which is
recommended for security reasons, give to the web server user write access on
these folders : "

Is this a recommended practice.?

3) Also another LMS (Learning Management System) while installing asked to give
some folders writeable and executable for every one
here is a link
http://atutor.ca/atutor/docs/installation.php
While installing it I got a message

“The directory you specify must be created if it does not already exist

and be writeable by the webserver. On
Unix machines issue the command chmod
a+rwx content, additionally the path
may not contain any symbolic links.
chmod a+rwx /var/www/atutor/content”

I am not at all convinced by the idea of giving permissions to read,write and
execute as these Learning Management Systems say.
Let me know what you people have to say?
What is the best practise in such situations?

1 Answer
1

You're right to be concerned, and too many application vendors resort to telling you you need to grant full permissions to every user in order to avoid problems. They do this to minimize support calls, rather than to maximize security.

It does make sense that the web server account would need write access to certain directories to store uploads or generated files. And execute access on directories is required in Unix in order for the contents of the directory to be enumerated by a user, so that will also be necessary.

Ultimately, what you want is for the user account that is running the web server process (most likely www-data if you are using a packaged web server on Ubuntu) to own the folders in question, and then the standard permissions of 755 (rwxr-xr-x) are sufficient, or if you are on a shared system with other untrusted users, you'd want 700 (rwx------).

So, in your first example, assuming those directories already exist, you would need to do this:

Again, if you are on a shared system, you may wish to replace "755" with "700" on the second line. If you know that www-data is not the user running your web server, replace that item with the correct value. You can run the same two commands on the directories for the second system as well. In both cases, write access is probably necessary, but only for the single user running the web server, not for everyone.